Sealed secrets
Cris Simpson edited this page Oct 14, 2025 · 3 revisions
Sealed secrets allow encrypting secrets that may then be safely checked into git.
About sealed secrets
Create the Secret file (plaintext.json). The "name" value under "metadata" is the wrapper name:

    {
      "kind": "Secret",
      "apiVersion": "v1",
      "metadata": {
        "name": "paws-secrets",
        "creationTimestamp": null
      },
      "data": {
        "SECRET1": "secretsecret",
        "SECRET2": "supersecret"
      }
    }
Replace each value under "data" with its base64 encoding. Encode exactly the bytes of the secret: a trailing newline (as added by echo) becomes part of the secret.

    {
      "kind": "Secret",
      "apiVersion": "v1",
      "metadata": {
        "name": "paws-secrets",
        "creationTimestamp": null
      },
      "data": {
        "SECRET1": "c2VjcmV0c2VjcmV0",
        "SECRET2": "c3VwZXJzZWNyZXQ="
      }
    }
Seal (encrypt) the secret:

    kubeseal --cert server_pub.pem -f plaintext.json -w sealed.json
kubeseal usage
The sealed file (sealed.json) can now be checked into git. Do not commit plaintext.json.
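The base64 step is where plaintext.json most often goes wrong: piping a value through echo encodes a trailing newline into the secret (for instance, c2VjcmV0c2VjcmV0Cg== decodes to "secretsecret" followed by a newline). The script below is an added example, not part of the original page; the function names b64, check_b64 and secret_json are hypothetical, and it assumes a base64 command that accepts -d (GNU coreutils).

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Assumes a base64 command that supports -d (GNU coreutils).

# b64 VALUE: base64 of exactly the bytes of VALUE, with no newline appended.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'   # tr removes base64 line wrapping
}

# check_b64 ENCODED: prints ok, trailing-newline or invalid (non-zero if not ok).
check_b64() {
    # The "x" sentinel stops $(...) from stripping a decoded trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || {
        echo invalid
        return 1
    }
    decoded=${decoded%x}
    nl='
'
    case $decoded in
        *"$nl") echo trailing-newline; return 1 ;;
        *)      echo ok ;;
    esac
}

# secret_json NAME KEY=VALUE...: prints a Secret manifest with encoded data.
# Assumes NAME and KEY need no JSON escaping (plain identifiers).
secret_json() {
    name=$1
    shift
    printf '{\n  "kind": "Secret",\n  "apiVersion": "v1",\n'
    printf '  "metadata": { "name": "%s", "creationTimestamp": null },\n' "$name"
    printf '  "data": {'
    sep=
    for kv in "$@"; do
        printf '%s\n    "%s": "%s"' "$sep" "${kv%%=*}" "$(b64 "${kv#*=}")"
        sep=,
    done
    printf '\n  }\n}\n'
}

# Demo with the page's sample values (constructed, not real secrets).
secret_json paws-secrets SECRET1=secretsecret SECRET2=supersecret
check_b64 'c2VjcmV0c2VjcmV0Cg==' || true   # prints: trailing-newline
```

Redirect the secret_json output to plaintext.json and seal it with the kubeseal command shown above.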